Your users can download keyloggers from an infected email (usually an attachment or a link to a malicious website), a USB drive or CD someone sent you (or you borrowed...bad boy/girl!), or even directly installed by an insider with access to the victim's computer.
Visa states that:
The particular key logger malware identified by Visa is equipped to send payment card data to a fixed e-mail or IP address accessible to the hacker. In these instances, the hacker is able to install key logger malware on the point of sale (POS) system due to insecure remote access and poor network configuration. Based on Visa’s review of the malware, it uses File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP) on default ports (20, 21 and 25 respectively) to send data out of the network.The bulletin goes on to suggest a number of mitigation strategies.
BTW, for those of you who think you are immune or that no one would want your banking credentials, you obviously haven't read my previous warning. If that's not enough, you can check out Krebs on Security's latest example of bad things happening to good people.
Download the bulletin and think about your user training. The web is a dangerous place.